公开(公告)号：US11303611B1

公开(公告)日：2022-04-12

申请号：US16525270

申请日：2019-07-29

Applicant: Cisco Technology, Inc.

Inventor： Umamaheswararao Karyampudi ,  Murukanandam K. Panchalingam ,  Muralidhar Annabatula ,  Madhuryamayi Mani ,  Darpan R. Kathoke ,  Chong M. Tan ,  Azeem M. Suleman

IPC: H04L29/06

Abstract: Techniques for generating and enforcing whitelist security policies in a communication network are disclosed. A first plurality of whitelist policies are consolidated into a second plurality of whitelist policies based on populating a plurality of tables. The populated tables include a first table including pairs of endpoints and associating each pair of endpoints with a service identifier, and a second table associating the service identifiers with the policy identifiers. The second plurality of whitelist policies are programmed into a network device in the communication network, based on at least one of the plurality of tables. Rules governing traffic between the pair of endpoints are enforced, at the network device, using the programmed second plurality of whitelist policies.

公开(公告)号：US11184325B2

公开(公告)日：2021-11-23

申请号：US16431615

申请日：2019-06-04

Applicant: Cisco Technology, Inc.

Inventor： Murukanandam K. Panchalingam ,  Umamaheswararao Karyampudi ,  Muralidhar Annabatula ,  Darpan R. Kathoke ,  Junyun Li

IPC: H04L29/06 ,  H04L29/08

Abstract: The present disclosure provides for application-centric enforcement for multi-tenant workloads with multi-site data center fabrics by: receiving, at a local switch at a first site, a packet from a first host at the first site intended for a second host located at a second site; identifying class identifiers (ID) for the hosts; determining, based on the class IDs, a security policy for transmitting data between the hosts; in response to determining that the security policy indicates that the second site exclusively manages security policies for the hosts' network: setting a policy applied indicator on the packet indicating that enforcement of the security policy is delegated from the first switch to a second switch connected to the second host; including the class IDs in the packet; and transmitting the packet to the second site.